Did you check this documentation?
Ultimately, at some point, you'll have a bucket that does not have access logging enabled because you'll always have a circular reference and then a runaway increase in logging.
Best practice is to lock down the bucket to which those access logs are being written by using version history, MFA on Delete, and restricting access to service roles (which do not include delete actions) from systems where the logs can be accessed (e.g. SIEM, Amazon Redshift, Amazon OpenSearch, or another data warehouse/visualization solution).
You will still have AWS CloudTrail logs, which can also help identify access requests to the bucket to provide some level of access monitoring. Finally, the AWS documentation on [S3.9] S3 bucket server access logging should be enabled explicitly states:
"The target logging bucket does not need to have server access logging enabled, and you should suppress findings for this bucket."
Check this blog and also make sure that the permissions through bucket policies and/or ACLs are not blocking.
You could set it up to any bucket of your choice; is there any trouble with that?
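As an added illustration of the lockdown described in the answer above (not code from any of the answerers or from AWS), here is a generator for the target log bucket's policy: the S3 log delivery service principal may write only for the named source bucket, a reader role gets read-only access, and delete/reconfiguration actions are explicitly denied to everyone except a break-glass role. Bucket names, account ID and role ARNs are constructed placeholders; versioning and MFA Delete are bucket configuration set separately and cannot be expressed in a policy.

```python
LOG_DELIVERY_PRINCIPAL = "logging.s3.amazonaws.com"
# Actions that could remove delivered logs or switch logging/versioning off.
DELETE_ACTIONS = ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket",
                  "s3:PutBucketLogging", "s3:PutBucketVersioning"]

def build_log_bucket_policy(target_bucket, source_bucket, account_id,
                            reader_role_arn, break_glass_role_arn):
    """Bucket policy (as a dict) for the server-access-log target bucket."""
    if target_bucket == source_bucket:
        raise ValueError("a bucket logging to itself creates a runaway logging loop")
    target_arn = f"arn:aws:s3:::{target_bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # The S3 log delivery service may write, but only for this source bucket.
                "Sid": "S3ServerAccessLogsPolicy",
                "Effect": "Allow",
                "Principal": {"Service": LOG_DELIVERY_PRINCIPAL},
                "Action": "s3:PutObject",
                "Resource": f"{target_arn}/*",
                "Condition": {
                    "ArnLike": {"aws:SourceArn": f"arn:aws:s3:::{source_bucket}"},
                    "StringEquals": {"aws:SourceAccount": account_id},
                },
            },
            {   # Read-only access for the log consumer (SIEM / warehouse) role.
                "Sid": "LogReaderReadOnly",
                "Effect": "Allow",
                "Principal": {"AWS": reader_role_arn},
                "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket"],
                "Resource": [target_arn, f"{target_arn}/*"],
            },
            {   # Explicit deny for everyone (root included) except a break-glass role.
                "Sid": "DenyDeleteExceptBreakGlass",
                "Effect": "Deny",
                "Principal": "*",
                "Action": DELETE_ACTIONS,
                "Resource": [target_arn, f"{target_arn}/*"],
                "Condition": {"ArnNotEquals": {"aws:PrincipalArn": break_glass_role_arn}},
            },
        ],
    }

def delete_is_denied(policy, action="s3:DeleteObject"):
    """True if some statement explicitly denies `action` to Principal "*"."""
    for st in policy["Statement"]:
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] == "Deny" and st["Principal"] == "*" and action in acts:
            return True
    return False
```

Because the deny uses `Principal: "*"`, it also binds the account root user, which is why a break-glass role is exempted rather than relying on root for recovery.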